Virtual Assets: Guidance Issued by FATF

The Financial Action Task Force (FATF) last week provided the greatest clarity to date on how the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) regime applies to virtual assets (VAs) and virtual asset service providers (VASPs).

Last week’s Plenary also marks the end of Marshall Billingslea of the United States’ Presidency of the FATF. Xiangmin Liu of the People's Republic of China now assumes the Presidency of FATF. While the President essentially has an administrative position, he or she decides on the focus of the agenda, and it remains to be seen if Chinese leadership will indicate a new direction.

Who needs to read it? Why?

VASPs have long been waiting for clarity as to not only how their business will be regulated, but what compliance would look like in practice. The new Guidance will be a crucial source of material to assist New Zealand regulators and relevant businesses on how VASPs will need to meet their obligations under New Zealand’s AML/CFT Act 2009.

What does it cover?

The new Guidance is intended to help governments understand and develop regulatory and supervisory responses to VASPs and VA activities. It makes clear it will be up to each country to decide how to specifically implement the FATF Recommendations in relation to VASPs and VAs, taking the Guidance into account. However, the Guidance provides a good idea for those in the sector about what general obligations they should expect to comply with.

The Guidance also updates FATF’s previous Guidance for a Risk-Based Approach to Virtual Currencies published in 2015, which, in general, focused on virtual currency activities only to the extent they involved fiat on and off ramps. The Guidance provides detail on:

examples of risk indicators that should specifically be considered in a VA context;

how VASPs and VA activities fall within the scope of the FATF Recommendations;

the range of obligations applicable to VASPs and VAs; and

the registration and licensing requirements of VASPs.

While, on its own, the Guidance does not change the letter of New Zealand’s AML/CFT Act, it is likely to guide its interpretation by the three supervisors, namely the Reserve Bank of New Zealand, the Financial Markets Authority, and, most importantly, the Department of Internal Affairs (DIA), now that DIA has assumed the lead role for VASPs. There is plenty of room, as DIA stated publically in April 2019, for financial services provided by VASPs to fall within the existing definition of a ‘financial institution’ in the AML/CFT Act.

What are VAs and VASPs?

A virtual asset is, according to the Guidance, a “digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations”.

The nature of a VA is extremely broad and will capture any “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”. Accordingly, VAs not only encompass cryptocurrencies but also many types of digital tokens.

A virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

exchange between virtual assets and fiat currencies;

exchange between one or more forms of virtual assets;

transfer of virtual assets (meaning to conduct a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another);

safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

It is important to emphasise that the scope of the FATF definition includes virtual-to-virtual transactions and services. It is not simply virtual-to-fiat activities that need to be regulated. This represents a significant shift from the position under the 2015 Guidance referred to above.

Key points to note

The Guidance provides important context and commentary on how VASPs and VAs should be regulated. Moving forward, there are some key points that businesses involved in the sector should be alert to:

VASPs will need to be licensed or registered in the jurisdiction where their place of business is located.

VASPs need to ensure that they have undertaken a full risk assessment of their business and implemented an AML/CFT programme to meet their obligations under the AML/CFT Act. VASPs should refer to the new Guidance in their programmes to ensure their processes align with best practice.

In particular, the Guidance also clarifies that VASPs that engage in VA transfers will need to obtain, hold, and transmit customer information. The required information for each transfer includes the:

originator’s name (i.e., the sending customer);

originator’s account number where such an account is used to process the transaction (e.g., the VA wallet);

originator’s physical (geographical) address, or national identity number, or customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the ordering institution, or date and place of birth;

beneficiary’s name; and

beneficiary account number where such an account is used to process the transaction (e.g., the VA wallet).

Our view

It should be of no surprise to those working in the space that VASPs and VAs are to be regulated. Indeed, many participants were calling for it to add clarity and legitimacy to their business.

The real question is how legislators and regulators in different countries will take the Guidance and apply it. The Guidance calls for a technology-neutral approach and ultimately for countries to respond with an appropriate risk-based approach. In our view, VASPs should not necessarily be treated more strictly than their more traditional counterparts.

In New Zealand, the relevant government agencies must now think hard about how to regulate VASPs and VAs to not create disproportionate compliance costs relative to the risks and to promote innovation and growth in the sector, while managing the acknowledged risks.

It is also important that the Guidance is applied in a way which is comparable to other well-regulated jurisdictions, if New Zealand does not wish to see a material proportion of its fledgling fintech sector relocate to other countries, some of which have strategic targets to become regional fintech hubs. If that was the outcome, it would not reduce the global risk of money laundering or terrorism financing at all, and perhaps not even the risk in New Zealand, as those entities would be able to offer their services back into New Zealand. But what it would mean is that talented New Zealanders would need to export themselves rather than their services, basing themselves in those other jurisdictions, meaning that they would not contribute to the New Zealand economy, and tax base.

As indicated above, in April 2019, DIA provided its own guidance that VASPs are regulated under the AML/CFT Act, on the basis that financial services provided by VASPs fall within the existing definition of a ‘financial institution’.

The position that VASPs are currently regulated in New Zealand based on wording dating from 2009, mere months after Satoshi Nakamoto first published his/her/their paper on bitcoin, and the lack of supporting, practical guidance as to how to comply are unhelpful to those in the industry, already causing some innovators to consider seeking more certain regulatory regimes elsewhere.

The VA sector is still relatively new and evolving, understandably making it difficult for legislators and regulators to commit to specifics.

However, the publication of the Guidance, and the call by FATF for countries to revisit their regulation of VASPs, presents an opportunity for New Zealand to design a specific “fit for purpose” regime by introducing new definitions of VAs and VASPs into the AML/CFT Act and providing specific regulations and guidance, much as the government did recently in Phase 2 for lawyers, accountants and real estate agents, amongst others. This is to be much preferred over relying on statutory language from more than 10 years ago, which predates the technology it is seeking to cover, and international agreements which have not been approved by the New Zealand Parliament. It also removes the risk of a judicial challenge to the DIA as regulator, based on the argument that the ambiguity in a penal statute should be resolved in favour of the private citizen rather than the state.

Arguably, New Zealand is uniquely positioned to achieve an appropriate, modern regime for VASPs that permits responsible innovation while managing money laundering and terrorism financing risk, given the smallness of the country and the history of close working between government and private sector to develop regulation, for example in the capital markets. That can be resolved with proactive engagement between the public and private sector. The arrival of this long-awaited Guidance should provide a solid mandate and base to begin such discussions.

Fundamentally, VASPs now need to know, with certainty, in what situations they are regulated in a New Zealand context and, if they are, how compliance is to be achieved. Here are just some questions that need clarification:

Under what activity of the AML/CFT Act do VA activities fall? While VASPs may be regulated, it is not always clear what financial activities are undertaken for the purposes of the AML/CFT Act, or what categories they need to register under on the Financial Service Providers Register;

How do existing AML/CFT exemptions apply? Many VAs pose little risk and are caught only because of their digital nature. Unless existing exemptions are broadened to apply or new exemptions are issued, VASPs will be significantly disadvantaged relative to businesses that undertake the same activities without the use of tokens. This reinforces the need for a technology-neutral approach by focusing on the financial conduct or activity rather than the fact something might be tokenised;

How do VASPs practically meet their obligations? Notwithstanding the difficult business questions of how CDD is to be undertaken, even relatively simple tasks such as completing an annual report create confusion because the forms do not provide for or align with how VA activities work.

To the extent regulation is not expressly made to cover VASPs and VAs, it is essential that guidance and support is available to assist businesses to accurately meet their obligations.

What next?

Any VASPs or businesses dealing in VAs should be alert to their obligations under New Zealand law (the AML/CFT Act). They should also consider contacting the Ministers of Justice and of Commerce to ensure they are aware of the opportunity which the publication of the FATF Guidance presents for New Zealand.

On the part of the government, New Zealand will need to consider whether and how its legislation needs to be amended and/or guidance issued to respond to the developments by FATF and comply with its international obligations.

FATF has given countries 12 months to give effect to the Guidelines, with a review set for June 2020. New Zealand is also subject to its own mutual evaluation by FATF in 2020. Accordingly, legislators and regulators will be motivated to demonstrate New Zealand’s alignment with international standards.

If you have any questions on how the AML/CFT regime applies to your business, please contact one of our experts.